Re: How to Change Win 2000 Cached Account Password?

From: Steven Umbach (n9rou_at_comcast.com)
Date: 09/16/03


Date: Tue, 16 Sep 2003 00:25:21 GMT


I have never read or figured a way to change cached credentials without
connecting to the domain. You may want to create two separate accounts - one for
domain, and one for vpn. You could configure vpn account password to not expire.
You could also use security policy user right assignment for allow/deny network
access to control which computers the vpn users can access if you want to beef
up security for vpn access. Posting in the ras_routing newsgroup may bring some
helpful feedback. --- Steve

"Some One" <garg444NOSPAM@yahoo.com> wrote in message
news:7yc9b.20190$cJ5.2823@www.newsranger.com...
> I have two identical computers in two locations (W2K Pro).
> They only have domain accounts (same id/password).
> First PC has direct network connection. Second PC
> is accessing network via VPN, cached credentials are used
> to log in first.
> There is rarely any need to access domain resources from the 2nd PC.
> When domain password is periodically changed on the first computer
> (due to security policy), I still have to log in to the 2nd PC
> with an old password, and still can access network via VPN.
> However, doing that locks the domain account out (apparently
> either VPN software sends cached domain credentials / old domain
> password to the network, or something else does that, even though
> there is no need to use domain resources, and VPN still works
> just fine with locked out account).
>
> Is it possible to:
> 1. Update the domain password on the 2nd computer w/o physical connection
> to domain (I suppose that'll be hard to do) or
> 2. If the credentials are stored in some specific files or registry
> entries, where are these located. Can these files be copied to the
> 2nd PC to change password this way?
> 3. Anything else I can do to solve this problem (can't create
> local account).
>
> Thanks for any suggestions.
>
>


